(57) ABSTRACT 

A system and method for load balancing. A packet is 
received at a firewall, which implements a rule and refers the 
packet to a load balancing proxy. The proxy performs a load 
balancing analysis at the load balancing proxy. Based on the 
results of the load balancing analysis, the proxy determines 
a load balancing rule, which is implemented by the firewall. 
At the end of the session to which the received packet 
belongs, the load balancing rule is deleted at the firewall. 
SYSTEM AND METHOD FOR NETWORK LOAD BALANCING 

CROSS REFERENCE TO RELATED 
APPLICATIONS 

This application claims priority to provisional application 
60/105,192 entitled "SYSTEM AND METHOD FOR NET- 
WORK LOAD BALANCING," filed Oct. 22, 1998, the 
contents of which are incorporated herein by reference. 

FIELD OF THE INVENTION 

The field of the invention is load balancing, and in 
particular using a firewall to perform load balancing. 

BACKGROUND OF THE INVENTION 

A known load balancer is configured as a proxy server that 
receives a packet of information, performs some analysis on 
the packet to select a destination server, and then forwards 
the packet to the selected server. However, in order to 
perform load balancing on a packet, the packet must be 
addressed by its sender to the balancer, not to the packet's 
actual intended destination. This disadvantageously adds an 
additional layer of complexity in the addressing scheme for 
the sender to obtain service from the destination server. 
Further, a known balancer performs substantial analysis of 
each packet, which absorbs processor resources of the 
balancer, adds a delay to the delivery of the packet to its 
actual intended destination, and increases the chances that a 
packet will be erroneously dropped. 

A firewall regulates the flow of packetized information. A 
packet includes a header and a payload. The header includes 
header information (header parameters), which can include 
a source and destination address for the packet, as well as 
source and destination port numbers, a protocol number, a 
physical location identifier, flags, a priority indicator 
(ROUTINE, URGENT, etc.), security information, etc. The 
payload includes the data meant to be conveyed by the 
packet from its source to its intended destination. A known 
firewall is placed between the packet's source and intended 
destination, where it intercepts the packet. A known firewall 
filters a packet based upon the packet's header parameters 
and a rule loaded into the firewall. The rule correlates a 
pattern in the header of a packet with a prescribed action, 
either PASS or DROP. The filter identifies the rule that 
applies to the packet based upon the packet's header, and 
then implements the rule's prescribed action. When a DROP 
action is performed, the packet is blocked (deleted), and 
does not reach its intended destination. When a PASS action 
is performed, the packet is passed on toward its intended 
destination. The set of rules loaded into a firewall reflect a 
security policy, which prescribes what type of information is 
permissible to pass through the firewall, e.g., from which 
source, to which destination, for which applications, etc. 

The analysis performed by a firewall in deciding what 
action to perform with respect to a packet is much less 
extensive than the analysis performed by a known load 
balancer in deciding where to route a packet. Therefore, a 
firewall action on a packet can be performed more quickly 
and with less burden on a processor than can a known load 
balancer. Also, a packet need not be addressed to a firewall 
in order to be acted on by the firewall, unlike a known load 
balancer. Thus, a firewall advantageously acts on a packet 
transparently, i.e., without requiring any special action on 
the part of the packet's sender. 

SUMMARY OF THE INVENTION 
In accordance with an embodiment of the present invention, a packet is received at a firewall, which implements a rule and refers the packet to a load balancing proxy. The proxy performs a load balancing analysis at the load balancing proxy. Based on the results of the load balancing analysis, the proxy determines a load balancing rule, which is implemented by the firewall. At the end of the session to which the received packet belongs, the load balancing rule is deleted at the firewall. 

The present invention provides at least two advantages 
over the prior art. Load balancing using a firewall is trans- 
parent to the sender compared with known load balancers, 
which are not transparent. The sender can advantageously 
address its packets to their intended destination, and need 
not specially address the packet to an intermediary, as with 
a load balancer. Also, the routing performed by a firewall 
implementing a rule is much quicker and more efficient than 
the routing performed by a load balancer. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 shows an apparatus in accordance with an embodi- 
ment of the present invention. 

FIG. 2 shows a system in accordance with an embodiment 
of the present invention. 

FIG. 3 is a flow chart illustrating the method in accor- 
dance with one embodiment of the present invention. 

DETAILED DESCRIPTION 

An apparatus in accordance with an embodiment of the 
present invention is shown in FIG. 1. Peer A 201 (the sender) 
sends a packet of information addressed to destination Peer 
B 202 (the destination) through filtering device 203. Filter- 
ing device 203 comprises a processor 204, a memory 205 
that stores firewall rules 206 and load balancing instructions 
207 adapted to be executed by processor 204 to perform 
steps of the method in accordance with an embodiment of 
the present invention, i.e., receive a packet, implement a rule 
that refers the packet to a load balancing proxy, perform a 
load balancing analysis at the load balancing proxy, deter- 
mine a load balancing rule based on the results of the load 
balancing analysis, and implement the load balancing rule at 
the firewall. 

In one embodiment of the present invention, a load 
balancing rule is determined from a predetermined set of 
load balancing rules stored at memory 205. In one 
embodiment, that part of memory 205 that stores the set of 
load balancing rules is located at the same site as processor 
204. In another embodiment, that part of memory 205 that 
stores a set of load balancing rules is located at another site 
than processor 204, e.g., at an external database. In one 
embodiment, sets of load balancing rules are stored at 
several locations in a distributed fashion. In one 
embodiment, a load balancing rule is dynamically con- 
structed by a load balancing proxy, based upon the results of 
a load balancing analysis. As used herein, "determining" a 
load balancing rule is meant to include the process of 
dynamically constructing such a load balancing rule. 

In one embodiment, the load balancing instructions 
include firewall instructions ("firewall" when being 
executed by a processor 204) and load balancing proxy 
instructions ("load balancing proxy" when being executed 
by a processor). The firewall performs firewall functions, 
which include receiving a packet, implementing a rule and 
referring the packet to the load balancing proxy, and imple- 
menting a load balancing rule. The load balancing proxy 
performs proxy functions, including performing a load bal- 
ancing analysis and determining a load balancing rule based 
on that analysis. 
The filtering device 203 also includes a first port 208 through which the packet is received from Peer A 201, and a second port 209 through which the packet will pass to Peer B 202 through network 210 if the pertinent rule prescribes a PASS action with respect to the packet. Ports 209 and 210, memory 205 and processor 204 are coupled. The term "coupled" is intended to encompass and be broader than the term "directly connected." If A is directly connected to B, and B is directly connected to C, then A is said to be "coupled" to C. In other words, the term coupled includes the term "indirectly connected." 

Peers 201 and 202 are each a computer with a permanent or temporary network address. Network 210 is any information systems network across which the information in the packet can be sent. Examples of network 210 include the Internet, an intranet, a virtual private network, etc. 

In one embodiment, processor 204 is a general purpose microprocessor, such as the Pentium II microprocessor manufactured by the Intel Corporation of Santa Clara, Calif. In another embodiment, processor 204 is an Application Specific Integrated Circuit (ASIC), which has been specifically designed to perform at least some of the steps of the method in accordance with an embodiment of the present invention. ASICs are well-known in the art for applications such as digital signal processing. In an embodiment of the present invention that includes an ASIC, at least part of the rule instructions 207 can be implemented in the design of the ASIC. 

Memory 205 can be Random Access Memory (RAM), a hard disk, a floppy disk, an optical digital storage medium, or any combination thereof. Memory 205 is meant to encompass any means for storing digital information, although at least part of the memory 205 should be writable. The present invention encompasses memory 205 structures that are distributed, i.e., the rules and instructions stored in memory 205 may be stored in separate structures that are accessible to the processor 204, for example, through a network. For example, in one embodiment, rules 206 are stored on a hard disk on a server coupled through a network to the processor 204, while the load balancing instructions 207 are stored in RAM coupled to the processor through a bus, the RAM, processor 204 and bus being co-located as parts of the same computer. 

The processors and memory are coupled to ports through which a packet can be received and/or sent. In one embodiment of the present invention, the firewall functions (receiving a packet, implementing a rule and referring a packet to a load balancing proxy, and implementing a load balancing rule) are implemented as a part of the kernel, i.e., at a relatively low level at which operating system processes are executed. Thus implemented, the firewall functions take advantage of the kernel's protected memory, rendering the firewall functions robust and less vulnerable in the event of a system failure. In the kernel's protected memory, the firewall functions are protected from user applications that are being executed. The load balancing proxy instructions are executed at the application level, i.e., the level at which software applications (e.g., a word processor, a spreadsheet, etc.) are executed. 

Ports 208 and 209 shown in FIG. 1 only illustrate one embodiment of the present invention. In the embodiment shown in FIG. 1, port 208 is dedicated to communication with peer A 201 while port 209 is dedicated to communication with peer B 202 through network 210. In one embodiment, there are a plurality of ports to and from numerous destinations. The port configuration is expected to vary to suit the particular connectivity required of a filtering device 203 in a given situation, i.e., in a given context or architecture in which parties communicate through filtering device 203. An embodiment of the present invention is advantageously scalable, in part because in one embodiment, the load balancing rule is determined and implemented only for a single session. A session is defined herein to be "an active communications connection, measured from beginning to end between computers or applications." Newton's Telecom Dictionary, Harry Newton, 1999, page 706. In one embodiment, the load balancing rule is deleted at the firewall when the session is terminated. 

In some embodiments, the functions of the present invention are performed on separate nodes. In one embodiment shown in FIG. 2, a packet is received from a sender 301 at one 302 of a plurality of receiving nodes 302, 307 and 308. Node 302 then applies a rule and refers the packet to a load balancing proxy. The load balancing proxy can perform its analysis at a separate node 305 that can advantageously function as a central load balancing coordinator. The central load balancing coordinator 305 sends a load balancing rule to node 302 that instructs the firewall at node 302 to route packets to the destination server selected by the coordinator 305 to balance load. Node 302 then implements the load balancing rule. This further illustrates the advantageous scalability of the present invention. Only relatively few coordinator sites (in relation to the number of receiving nodes) are needed to perform load balancing analysis and determine load balancing rules. 

A flow chart showing the method in accordance with an embodiment of the present invention is shown in FIG. 3. A packet is received at a firewall, step 101. A rule is applied by the firewall to the packet that refers the packet to a load balancing proxy, step 102. In one embodiment, the load balancing proxy performs a load balancing analysis, step 103, based upon the intended destination (i.e., the destination address) of the packet. The load balancing proxy determines a load balancing rule based upon the load balancing analysis performed, step 104. The load balancing rule is implemented by the firewall, step 105. In one embodiment, when the session to which the received packet belonged is terminated, the rule is deleted, thereby advantageously saving memory resources. Thus, it is determined if the session is terminated, step 106. If it is terminated, then the load balancing rule is deleted, step 107. 

In one embodiment of the present invention, a load balancing analysis is performed by the load balancing proxy on only the first packet of a message. The appropriate load balancing rule is constructed, and then loaded into the firewall. Subsequent packets in the message are then filtered in accordance with the rule constructed for the first packet of the message. The speed of the load balancing performed by an embodiment of the present invention is thereby increased over known systems, because the load balancing is performed at the kernel level using firewall rules, rather than at the slower application level. Functions performed by the kernel are faster because they are performed at a more elemental level (the operating system) than functions performed at the application level. Functions performed at the application layer utilize the kernel and other software to execute. 

An embodiment of the present invention is not only faster, but is also more flexible than known systems. The load balancing proxy can advantageously quickly and dynamically change the rules used for load balancing by the firewall in response to changing load conditions at the servers to which message traffic is directed. For example, a load balancing proxy can change the firewall rule that directs a message (or session) to a particular server midstream, i.e., at any point after the beginning of the message or session and before the end, if this can be handled without interrupting the service provided by the servers being balanced. This can be done several times per message or session in accordance with an embodiment of the present invention. 

One method in accordance with an embodiment of the 
present invention for dynamically changing a load balancing 
rule includes sending a packet received at the firewall to the 
load balancing proxy. The load balancing proxy constructs a 
load balancing rule X based upon the packet, and loads it at 
the firewall. The load balancing rule X directs that packets 
with equivalent characteristics (e.g., similar header 
parameters) to the packet referred to the load balancing 
proxy be directed to Server A. After a number of these 
packets are received and processed by Server A, Server A 
then becomes congested (heavily loaded), and sends a 
message to the firewall to either generally reduce the amount 
of traffic being directed to Server A, or else specifically to 
redirect the traffic being sent in accordance with load bal- 
ancing rule X to another server. The load balancing proxy 
then determines a new rule Y, based in one embodiment 
upon a determination by the proxy of the server best able to 
handle the traffic. Rule Y directs the traffic directed by rule 
X to another server, Server B. Rule Y is then loaded at the 
firewall, and the traffic formerly directed to Server A is now 
directed to Server B. 
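The mechanism described above can be followed end to end in a small simulation: a kernel-style firewall that matches header parameters against PASS, DROP and refer rules, a load balancing proxy that analyzes only the first packet of a session and installs a per-session rule (steps 101 to 105 of FIG. 3), deletion of that rule when the session ends (steps 106 and 107), and the midstream replacement of rule X by rule Y when Server A reports congestion. This is an added example written for this page, not the patent's code. The server names, the round-robin selection policy, the use of the five-tuple of claim 2 as the "equivalent characteristics" that a session rule matches, the treatment of FIN/RST as session termination, and the congestion report modelled as a method call are all assumptions.

```python
"""Simulation of a firewall that defers load balancing decisions to a proxy.
Added example: the patent describes the mechanism, not this code. Server
names, the round-robin policy and FIN/RST as end of session are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header parameters the firewall filters on (the five-tuple plus flags)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()


Flow = Tuple[str, int, str, int, str]


def flow_of(p: Packet) -> Flow:
    return (p.src, p.sport, p.dst, p.dport, p.proto)


@dataclass
class Rule:
    """A header pattern with a prescribed action. PASS/DROP are the classic
    firewall actions; REFER hands the packet to the proxy; FORWARD is a load
    balancing rule that sends matching packets to a chosen server."""
    match: Callable[[Packet], bool]
    action: str
    server: Optional[str] = None


class LoadBalancingProxy:
    """Application-level component: does the (slower) analysis and builds rules.
    Assumed policy: round-robin over the non-congested servers of a destination."""

    def __init__(self, pools: Dict[str, List[str]]):
        self.pools = pools              # destination address -> real servers
        self.next_index: Dict[str, int] = {}
        self.congested: set = set()

    def candidates(self, vip: str) -> List[str]:
        healthy = [s for s in self.pools[vip] if s not in self.congested]
        return healthy or self.pools[vip]

    def analyze(self, p: Packet) -> Rule:
        """Steps 103/104: choose a server by destination address, build rule X.
        The rule is keyed on the full five-tuple, so it never applies to
        packets from a different sender."""
        servers = self.candidates(p.dst)
        i = self.next_index.get(p.dst, 0)
        self.next_index[p.dst] = i + 1
        flow = flow_of(p)
        return Rule(lambda q: flow_of(q) == flow, "FORWARD", servers[i % len(servers)])

    def redirect(self, fw: "Firewall", congested: str) -> int:
        """Server reports congestion: replace every installed rule X that targets
        it with a rule Y pointing at the first healthy alternative. Returns count."""
        self.congested.add(congested)
        moved = 0
        for flow, rule in fw.lb_rules.items():
            alternatives = [s for s in self.candidates(flow[2]) if s != congested]
            if rule.server == congested and alternatives:
                fw.lb_rules[flow] = Rule(rule.match, "FORWARD", alternatives[0])
                moved += 1
        return moved


class Firewall:
    """Kernel-level fast path: per-session rules are checked first, then the
    static policy. A packet no rule matches is dropped (default deny)."""

    def __init__(self, policy: List[Rule], proxy: LoadBalancingProxy):
        self.policy = policy
        self.proxy = proxy
        self.lb_rules: Dict[Flow, Rule] = {}   # rules installed per session

    def receive(self, p: Packet) -> Tuple[str, Optional[str]]:
        flow = flow_of(p)
        rule = self.lb_rules.get(flow)                      # step 105 fast path
        if rule is None:
            rule = next((r for r in self.policy if r.match(p)), None)
        if rule is None or rule.action == "DROP":
            return ("DROP", None)
        if rule.action == "REFER":                          # step 102
            rule = self.proxy.analyze(p)                    # steps 103, 104
            self.lb_rules[flow] = rule                      # step 105
        if p.flags & {"FIN", "RST"}:                        # steps 106, 107
            self.lb_rules.pop(flow, None)
        return (rule.action, rule.server)


def simulate() -> Dict[str, object]:
    """Constructed traffic: two web sessions, a congestion report, a blocked ssh."""
    proxy = LoadBalancingProxy({"10.0.0.1": ["srvA", "srvB"]})
    policy = [
        Rule(lambda p: p.proto == "tcp" and p.dst == "10.0.0.1" and p.dport == 80, "REFER"),
        Rule(lambda p: p.proto == "tcp" and p.dst == "10.0.0.1" and p.dport == 22, "DROP"),
    ]
    fw = Firewall(policy, proxy)

    def web(src: str, sport: int, *flags: str) -> Packet:
        return Packet(src, sport, "10.0.0.1", 80, flags=frozenset(flags))

    trace = [
        fw.receive(web("192.0.2.10", 40000, "SYN")),    # first packet -> proxy, rule X
        fw.receive(web("192.0.2.11", 40001, "SYN")),    # second session, round-robin
        fw.receive(web("192.0.2.10", 40000)),           # fast path, proxy not involved
    ]
    moved = proxy.redirect(fw, "srvA")                  # rule X -> rule Y midstream
    trace += [
        fw.receive(web("192.0.2.10", 40000)),           # now follows rule Y
        fw.receive(web("192.0.2.12", 40002, "SYN")),    # new session avoids srvA
        fw.receive(Packet("192.0.2.10", 40003, "10.0.0.1", 22, flags=frozenset({"SYN"}))),
        fw.receive(web("192.0.2.10", 40000, "FIN")),    # session ends, rule deleted
        fw.receive(web("192.0.2.11", 40001, "FIN")),
    ]
    return {"trace": trace, "moved": moved, "installed": len(fw.lb_rules)}


if __name__ == "__main__":
    for step in simulate()["trace"]:
        print(step)
```

Two design points matter from a security standpoint. The session rule is keyed on the full five-tuple, so a rule the proxy installed for one sender is never applied to a different source; the patent's "equivalent characteristics" leaves that matching key open, and choosing it too loosely would let unrelated traffic ride an existing decision. And the per-session table is bounded by session termination (steps 106 and 107): without that deletion the installed rules would grow without limit under a flood of new connections, so a real implementation also needs a timeout for sessions that never send FIN.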


In one embodiment, the load balancing proxy uses infor- 
mation contained in several packets to determine a load 
balancing rule. In other words, the information needed to 
make a load balancing determination is spread over several 
packets, all of which the load balancing proxy considers in 
determining the appropriate load balancing rule. Once the 
several packets are analyzed, the load balancing proxy 
determines the rule, and it is loaded at the firewall. The rule 
then directs subsequent packets to the appropriate server. 

A medium that stores instructions adapted to be executed 
on a processor, like memory 205, is meant to encompass any 
medium capable of storing digital information. Examples of 
a medium that stores instructions include a hard disk, a 
floppy disk, a Compact Disk Read Only Memory (CD- 
ROM), magnetic tape, flash memory, etc. 

The term "instructions adapted to be executed" is meant 
to encompass more than machine code. The term "instruc- 
tions adapted to be executed" is meant to encompass source 
code, assembler, and any other expression of instructions 
that may require preprocessing in order to be executed by 
processor. For example, also included is code that has been 
compressed or encrypted, and must be uncompressed and/or 
unencrypted in order to be executed by a processor. 

The present invention advantageously provides a more 
efficient system and method for load balancing that is 
advantageously transparent to the sender and recipient of 
packets. 

What is claimed is: 

1. A method for load balancing, including the steps of: 

a. receiving a packet at a firewall; 

b. implementing a rule with respect to the packet that 
refers the packet to a load balancing proxy; 

c. performing a load balancing analysis at the load bal- 
ancing proxy; 
d. determining a load balancing rule based upon the load 
balancing analysis of step c; and 

e. implementing the load balancing rule at the firewall. 

2. The method of claim 1, wherein the received packet has 
a source address, source port, destination address, destina- 
tion port and protocol number. 

3. The method of claim 1, further comprising the step of 
performing a PASS action or a DROP action with respect to 
a packet received at the firewall. 

4. The method of claim 1, further including the steps of 
determining if a session is terminated, and if the session is 
terminated, then deleting the load balancing rule at the 
firewall. 

5. An apparatus for load balancing, comprising: 

a. a processor; 

b. a memory that stores a rule and load balancing instruc- 
tions adapted to be executed by said processor to 
receive a packet at a firewall, implementing a rule with 
respect to the packet that refers the packet to a load 
balancing proxy, perform a load balancing analysis at 
the load balancing proxy, determine a load balancing 
rule based upon the load balancing analysis, and imple- 
ment the load balancing rule at the firewall, said 
memory coupled to said processor; 

c. a first port adapted to be coupled to the sender of the 
packet, said first port coupled to said processor; and 

d. a second port adapted to be coupled to the destination 
to which the packet is addressed, said second port 
coupled to said processor. 

6. The apparatus of claim 5, wherein said load balancing 
instructions are further adapted to be executed by said 
processor to detect if a session is terminated and to delete a 
load balancing rule. 

7. A medium that stores instructions adapted to be 
executed by a processor to perform steps including: 

a. receiving a packet at a firewall; 

b. implementing a rule with respect to the packet that 
refers the packet to a load balancing proxy; 

c. performing a load balancing analysis at the load bal- 
ancing proxy; 

d. determining a load balancing rule based upon the load 
balancing analysis of step c; and 

e. implementing the load balancing rule at the firewall. 

8. The medium of claim 7, wherein said instructions are 
further adapted to be executed by a processor to perform the 
step of determining that a session is terminated and deleting 
a load balancing rule at the firewall. 

9. A system for filtering a packet that is part of a session 
between applications, that negotiate a connection parameter, 
including the steps of: 

a. means for receiving a packet at a firewall; 

b. means for implementing a rule with respect to the 
packet that refers the packet to a load balancing proxy; 

c. means for performing a load balancing analysis at the 
load balancing proxy; 

d. means for determining a load balancing rule based upon 
the load balancing analysis of step c; and 

e. means for implementing the load balancing rule at the 
firewall. 

10. The system of claim 9, further comprising means for 
detecting if a session is terminated and means for deleting a 
rule. 